AI Security Review
scanned 3d ago · by lpm-firewall-aiInstall-time code fetches an opaque native executable from GitHub into the package directory. The CLI later launches that executable with inherited environment variables. No direct malicious behavior is established in the inspected JavaScript.
Static reason
One or more suspicious static signals were detected.
Trigger
`npm install` downloads the payload; invoking `cux` executes it.
Impact
A remote, source-unavailable executable can act with the installing user's permissions when `cux` is run.
Mechanism
postinstall remote-binary staging followed by CLI execution
Rationale
This is an opaque remote payload carrier with weak source-pinned integrity, but the inspected JavaScript contains no confirmed exfiltration, destructive action, or install-time execution of the downloaded binary.
Evidence
package.jsoninstall.jsbin/cux.jsbin/cuxbin/cux.sha256
Network endpoints3
github.com/${repo}/releases/download/v${version}cux.inulute.com/docssupport.inulute.com
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `package.json` runs `node install.js` on `postinstall`.
- `install.js` downloads a platform-specific executable during installation.
- `CUX_RELEASE_REPO` can redirect downloads to another GitHub repository.
- Checksum is fetched from the same remote source and is not pinned in package source.
- `bin/cux.js` executes the downloaded binary with inherited environment.
Evidence against
- No shell, eval, credential harvesting, or direct exfiltration exists in inspected JavaScript.
- Postinstall only writes the package-local `bin/cux` executable and checksum.
- The downloaded executable is not run during installation.
- No AI-agent config or foreign control-surface write is present in inspected source.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
UrlStrings
CopyleftLicense
Source & flagged code
2 flagged · loading sourcepackage.jsonView file
•scripts.postinstall = node install.js
High
Install Time Lifecycle Scripts
Package defines install-time lifecycle scripts.
package.jsonView on unpkg•scripts.postinstall = node install.js
Medium
Ambiguous Install Lifecycle Script
Install-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgFindings
1 High3 Medium4 Low
HighInstall Time Lifecycle Scriptspackage.json
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowFilesystem
LowUrl Strings
LowCopyleft License